Posted to wss4j-dev@ws.apache.org by "Kenny Moens (JIRA)" <ji...@apache.org> on 2008/01/21 11:29:34 UTC
[jira] Created: (WSS-98) Security Vulnerability: Plaintext Usertoken Profile
Security Vulnerability: Plaintext Usertoken Profile
---------------------------------------------------
Key: WSS-98
URL: https://issues.apache.org/jira/browse/WSS-98
Project: WSS4J
Issue Type: Bug
Environment: Apache Axis 1.4 + WSS4J 1.5.3
Reporter: Kenny Moens
Assignee: Ruchith Udayanga Fernando
Priority: Critical
When the username and passwords are passed without digest, no password check is performed.
This can easily be reproduced with the following SOAP Request:
<wsse:UsernameToken>
<wsse:Username>foo</wsse:Username>
<wsse:Password>bar</wsse:Password>
</wsse:UsernameToken>
When looking at the source code the password is in this case never checked.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org
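The behaviour described in the report above, as a simplified model added here; it is not WSS4J source and not the attached patch. The class, its methods and the credential store are hypothetical, and the digest formula and the PasswordText default come from the WS-Security UsernameToken Profile.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;

// Simplified model of UsernameToken validation. Not WSS4J code; all names are hypothetical.
public class UsernameTokenCheck {
    static final String NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0";
    static final String DIGEST = NS + "#PasswordDigest";
    static final String TEXT = NS + "#PasswordText";
    static final Map<String, String> USERS = Map.of("foo", "constructed-secret"); // constructed store

    // Shape of the flaw in the report: only the digest branch compares anything.
    static boolean validateFlawed(String user, String pw, String type, byte[] nonce, String created) throws Exception {
        if (DIGEST.equals(type)) return digestMatches(USERS.get(user), pw, nonce, created);
        return true; // plaintext password is accepted without comparison
    }

    // Hardened form: every branch compares against the stored secret, unknown types fail closed.
    static boolean validate(String user, String pw, String type, byte[] nonce, String created) throws Exception {
        String stored = USERS.get(user);
        if (DIGEST.equals(type)) return digestMatches(stored, pw, nonce, created);
        // The profile treats a missing Type attribute as PasswordText.
        if (type == null || TEXT.equals(type)) return stored != null && pw != null && same(stored, pw);
        return false;
    }

    // Password_Digest = Base64(SHA-1(nonce + created + password))
    static boolean digestMatches(String stored, String pw, byte[] nonce, String created) throws Exception {
        if (stored == null || pw == null || nonce == null || created == null) return false;
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(nonce);
        sha1.update(created.getBytes(StandardCharsets.UTF_8));
        sha1.update(stored.getBytes(StandardCharsets.UTF_8));
        return same(Base64.getEncoder().encodeToString(sha1.digest()), pw);
    }

    // Constant-time comparison so the check does not leak how many bytes matched.
    static boolean same(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // The token from the report: user "foo", password "bar", no Type attribute.
        System.out.println("flawed:   " + validateFlawed("foo", "bar", null, null, null));
        System.out.println("hardened: " + validate("foo", "bar", null, null, null));
    }
}
```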
[jira] Commented: (WSS-98) Security Vulnerability: Plaintext Usertoken Profile
Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WSS-98?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12588577#action_12588577 ]
Colm O hEigeartaigh commented on WSS-98:
----------------------------------------
This bug is essentially a duplicate of WSS-54 and can be closed.
> Security Vulnerability: Plaintext Usertoken Profile
> ---------------------------------------------------
>
> Key: WSS-98
> URL: https://issues.apache.org/jira/browse/WSS-98
> Project: WSS4J
> Issue Type: Bug
> Environment: Apache Axis 1.4 + WSS4J 1.5.3
> Reporter: Kenny Moens
> Assignee: Ruchith Udayanga Fernando
> Priority: Critical
> Attachments: plaintext_security_leak.diff
>
>
> When the username and passwords are passed without digest, no password check is performed.
> This can easily be reproduced with the following SOAP Request:
> <wsse:UsernameToken>
> <wsse:Username>foo</wsse:Username>
> <wsse:Password>bar</wsse:Password>
> </wsse:UsernameToken>
> When looking at the source code the password is in this case never checked.
[jira] Updated: (WSS-98) Security Vulnerability: Plaintext Usertoken Profile
Posted by "Kenny Moens (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WSS-98?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kenny Moens updated WSS-98:
---------------------------
Attachment: plaintext_security_leak.diff
The patch for this problem.
[jira] Assigned: (WSS-98) Security Vulnerability: Plaintext Usertoken Profile
Posted by "Fred Dushin (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WSS-98?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Fred Dushin reassigned WSS-98:
------------------------------
Assignee: Fred Dushin (was: Ruchith Udayanga Fernando)
> Security Vulnerability: Plaintext Usertoken Profile
> ---------------------------------------------------
>
> Key: WSS-98
> URL: https://issues.apache.org/jira/browse/WSS-98
> Project: WSS4J
> Issue Type: Bug
> Environment: Apache Axis 1.4 + WSS4J 1.5.3
> Reporter: Kenny Moens
> Assignee: Fred Dushin
> Priority: Critical
> Attachments: plaintext_security_leak.diff
>
>
> When the username and passwords are passed without digest, no password check is performed.
> This can easily be reproduced with the following SOAP Request:
> <wsse:UsernameToken>
> <wsse:Username>foo</wsse:Username>
> <wsse:Password>bar</wsse:Password>
> </wsse:UsernameToken>
> When looking at the source code the password is in this case never checked.
[jira] Resolved: (WSS-98) Security Vulnerability: Plaintext Usertoken Profile
Posted by "Fred Dushin (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WSS-98?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Fred Dushin resolved WSS-98.
----------------------------
Resolution: Duplicate
[jira] Issue Comment Edited: (WSS-98) Security Vulnerability: Plaintext Usertoken Profile
Posted by "Kenny Moens (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WSS-98?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12560976#action_12560976 ]
kenny edited comment on WSS-98 at 1/21/08 2:32 AM:
---------------------------------------------------------
Attached you can find a patch for this problem.
was (Author: kenny):
The patch for this problem.